Confused about SELinux error

Petr Mensik pemensik at redhat.com
Mon Aug 14 13:26:00 UTC 2017


Hi Todd,

that means you are trying to save session.key into a directory where SELinux is forbidding write access to named.
Session.key is a file created once per start and removed before shutdown. I think you have something wrong with the /var/run/named -> /run/named link.
The default built-in value is /var/run/named/session.key. The default Fedora configuration uses /run/named/session.key. Both paths should work without difference.

The correct SELinux type for files in /run/named is named_var_run_t. I think you should run instead:
$ restorecon -rv /run/named /var/run/named 

Then restart named service. Context of a new file should be already correct.

Do you have this option in your configuration file? What is its value?
# options { ...
session-keyfile "/run/named/session.key";

It would be helpful if you include your configuration in readable form, please.

The listed types are most likely the types named is allowed to touch. I admit SELinux errors are often confusing. What you wrote here are hints on how to solve the error, not the error itself.
More helpful errors would be printed by:
$ ausearch -i -ts today -m avc -m user_avc -m selinux_err

Regards,
Petr
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973

----- Original Message -----
From: "ToddAndMargo" <ToddAndMargo at zoho.com>
To: bind-users at lists.isc.org
Sent: Friday, August 11, 2017 10:39:11 PM
Subject: Confused about SELinux error

Hi All,

What does this SELinux error mean when I start bind-chroot?

      # semanage fcontext -a -t FILE_TYPE 'session.key'

      where FILE_TYPE is one of the following: dnssec_trigger_var_run_t,
      ipa_var_lib_t, krb5_host_rcache_t, krb5_keytab_t, named_cache_t,
      named_log_t, named_tmp_t, named_var_run_t.

     # semanage fcontext -a -t named_var_run_t 'session.key'
     # restorecon -v 'session.key'


How am I supposed to know what "FILE_TYPE" they are talking about?

-T
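The triage Petr describes (find where session.key is written, read the real AVC record rather than the sealert hint, and relabel only if the target's type is wrong) can be scripted. The following is an added example written for this page, not code from the thread, BIND or Fedora; the named.conf fragment and the AVC record are constructed so it runs offline, and the function names are the example's own. It assumes AVC records in the audit.log layout (scontext=, tcontext=, tclass=) and BIND's built-in default of /var/run/named/session.key when session-keyfile is not set.

```shell
#!/bin/sh
# Added example: decide between "relabel" and "policy change" for a named
# session.key AVC denial. Nothing here touches SELinux; it only parses text.

# Constructed named.conf fragment (not from the thread).
NAMED_CONF='options {
    directory "/var/named";
    session-keyfile "/run/named/session.key";
};'

# Constructed AVC record in audit.log layout; pid, inode and timestamp are made up.
AVC_LINE='type=AVC msg=audit(1502452751.000:123): avc:  denied  { write } for  pid=1234 comm="named" name="session.key" dev="tmpfs" ino=5678 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0'

# Path named writes the TSIG session key to: the session-keyfile option,
# or BIND's built-in default when the option is absent.
session_keyfile() {
    path=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*session-keyfile[[:space:]]*"\([^"]*\)".*/\1/p' \
        | head -n 1)
    if [ -n "$path" ]; then
        printf '%s\n' "$path"
    else
        printf '%s\n' "/var/run/named/session.key"
    fi
}

# One key=value field from an AVC record, e.g. avc_field tcontext "$AVC_LINE".
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# The permission set inside "{ ... }" of the denial.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\) *}.*/\1/p'
}

# Type component of a user:role:type:level context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# If the target's type is not the one expected for its directory, the fix is a
# relabel of that directory (restorecon), not a new policy rule. Only when the
# label is already right does the denial point at a genuine policy gap.
avc_advice() {
    avc="$1"; expected="$2"; keyfile="$3"
    ttype=$(ctx_type "$(avc_field tcontext "$avc")")
    stype=$(ctx_type "$(avc_field scontext "$avc")")
    name=$(avc_field name "$avc" | tr -d '"')
    perm=$(avc_perm "$avc")
    if [ "$ttype" != "$expected" ]; then
        printf 'restorecon -rv %s  # %s denied %s on %s labelled %s, expected %s\n' \
            "$(dirname "$keyfile")" "$stype" "$perm" "$name" "$ttype" "$expected"
    else
        printf 'policy  # %s denied %s on %s already labelled %s; inspect audit2allow -a\n' \
            "$stype" "$perm" "$name" "$ttype"
    fi
}

# Usage with the constructed inputs above.
avc_advice "$AVC_LINE" named_var_run_t "$(session_keyfile "$NAMED_CONF")"
```

The directory of the keyfile, not the file itself, is what gets relabelled: session.key is recreated on every start, so a context fixed on the file alone is lost at the next restart, while a correctly labelled parent directory gives the new file the right type through default labelling.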

